On Tue, 23 Feb 2021, Dan Malm wrote:

On 2021-02-23 16:29, John Hardin wrote:
On Tue, 23 Feb 2021, Dan Malm wrote:

On 2021-02-19 16:13, John Hardin wrote:
On Fri, 19 Feb 2021, Dan Malm wrote:

I have a system that receives mail from a webmail product that adds an
X-Originating-IP header with the IP of the webmail user.

Since SpamAssassin for some reason considers that to be a
Received header, this results in all mail from the webmail hitting the
RDNS_NONE rule (only the IP is added in the header), which I currently have
set to 0 because of this.

Could you post a sample of the headers from such? Obfuscate as you like,
I'm just wondering about the order in which they appear.

Received: from onecom-webmail1 (service.pub.appspod1-cph3.one.com
    [46.30.211.130])
    by mailrelay3 (Halon) with ESMTPSA
    id 89da92dc-72a5-11eb-bf40-fd1a731c465d;
    Fri, 19 Feb 2021 11:28:08 +0000 (UTC)
X-Originating-IP: 46.30.211.29
User-Agent: One.com webmail 39.4.34
Date: Fri, 19 Feb 2021 12:28:08 +0100
MIME-Version: 1.0
Message-ID: <1613734088881.26136.389428@webmail1>
To: <o...@slave.one>
From: "One" <o...@nyck.se>
Reply-To: <o...@nyck.se>
Subject: testing
Content-Type: multipart/alternative;
boundary="----------389426-1613734088881-1"

...and I assume that neither of those addresses are configured as
"internal" for you?

They are currently not, no.

And "X-Originating-IP: 46.30.211.29" is the IP the webserver handling
the webmail saw for this mail, i.e. the user IP, which for normal users
will often be in PBL. It's also the IP that triggers the hit on RDNS_NONE.

Which it should not, as it's not the "last external" IP address. That's why I asked for the headers - it seems from this (absent any actual testing) that SA isn't keeping the received-equivalent headers in the correct order with the genuine received headers.

One possible explanation is that the local Received header added by your MTA (presumably mailrelay3) isn't being added before the message is being passed to SA, so the X-Originating-IP header is the only thing that SA is seeing. Did that message hit any "direct-to-MX" rules?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Maxim XI: Everything is air-droppable at least once.
-----------------------------------------------------------------------
 269 days since the first private commercial manned orbital mission (SpaceX)
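As an added illustration (not code from this thread and not SpamAssassin's own implementation), here is a simplified Python model of the "last external" lookup John describes: it unfolds the quoted headers, builds the relay chain top-down with X-Originating-IP as a pseudo-relay, and shows that whether a relay with no rDNS ends up as the last external hop depends on where that pseudo-relay lands in the chain and on which networks are trusted. The sample headers are constructed from the ones quoted above; the `trusted` list, the placeholder `webmail` receiving host and the minimal Received grammar are assumptions.

```python
import re
import ipaddress

# Constructed sample, modelled on the headers quoted earlier in the thread.
SAMPLE = """Received: from onecom-webmail1 (service.pub.appspod1-cph3.one.com [46.30.211.130])
    by mailrelay3 (Halon) with ESMTPSA
    id 89da92dc-72a5-11eb-bf40-fd1a731c465d;
    Fri, 19 Feb 2021 11:28:08 +0000 (UTC)
X-Originating-IP: 46.30.211.29
User-Agent: One.com webmail 39.4.34
"""

# Minimal "from HELO (rdns [ip]) by host" grammar; real Received lines vary far more.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]*)\s*\[([\d.]+)\]\)\s+by\s+(\S+)")

def unfold(raw):
    """Join RFC 5322 folded continuation lines; return (name, value) pairs in header order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

def relays(raw):
    """Relay chain, top-down. X-Originating-IP becomes a pseudo-relay with no rDNS,
    received 'by' an assumed placeholder host named webmail."""
    chain = []
    for name, value in unfold(raw):
        if name.lower() == "received":
            m = RECEIVED_RE.search(value)
            if m:
                chain.append({"ip": m.group(3), "rdns": m.group(2), "by": m.group(4)})
        elif name.lower() == "x-originating-ip":
            chain.append({"ip": value.strip("[]"), "rdns": "", "by": "webmail"})
    return chain

def last_external(chain, trusted):
    """First hop from the top whose connecting IP is outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for hop in chain:
        if not any(ipaddress.ip_address(hop["ip"]) in n for n in nets):
            return hop
    return None

def rdns_missing(hop):
    """True when the chosen last-external hop carries no reverse DNS name."""
    return hop is not None and hop["rdns"] == ""
```

With the chain in header order and nothing trusted, the last external hop is 46.30.211.130 (which has rDNS); reversing the chain, or trusting 46.30.211.130, makes the X-Originating-IP hop last external instead, which is the situation the RDNS_NONE hit in the thread suggests.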
